Re: lockdown desktop without Group Policy



Hi Tony,

The instructions are *not* meant for use on a DC.

Please reset the permissions on the GroupPolicy folder to default using the following instructions:

1. Log on to the DC as an administrator

2. Open up Windows Explorer and browse to the following folder (make sure that view hidden files is enabled):

C:\WINDOWS\system32\GroupPolicy

3. Right-click on the GroupPolicy folder and choose Properties - Security tab - Advanced button - Owner tab

4. Select Administrators for the owner and check "Replace owner on subcontainers and objects", click OK and Yes

5. Close the GroupPolicy folder Properties window

6. Right-click on the GroupPolicy folder and choose Properties - Security tab - Advanced button - Permissions tab

7. Use the Add & Remove buttons as needed until you have *only* the following Permissions entries in the list:

Allow   Authenticated Users   Read & Execute   <not inherited>   This folder, subfolders and files
Allow   Server Operators      Read & Execute   <not inherited>   This folder, subfolders and files
Allow   Administrators        Full Control     <not inherited>   This folder, subfolders and files
Allow   CREATOR OWNER         Full Control     <not inherited>   Subfolders and files only
Allow   SYSTEM                Full Control     <not inherited>   This folder, subfolders and files

Note: Read & Execute consists of the following individual permissions, check all of them when adding the entry:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

8. Check "Replace permission entries on all child objects with entries shown here that apply to child objects"

9. Click OK and then Yes to confirm

Thanks.

-TP

Tonky wrote:
Dear Vera

I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC
and so I followed the instructions for GP Editor as suggested by TP.
All seemed to go well until accessing the desktop shortcut created in
the last step. A Command prompt appears requesting the gpedit
password. When I attempt to type it in, nothing appears but the
Command Line disappears launching Group Policy Editor saying access
denied.

Something obviously went wrong, which could stem back to editing the
security settings for gpt.ini, which suggested changes couldn't be
made as it was read only, but it appeared to make changes all the
same as all existing security groups were removed from the list.

I can now no longer edit group policy.

Any help?

Many thanks.

Tony
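A read-only check of the result of steps 1 to 9 above, as an added example that is not part of the original thread: it compares the owner and ACL of the GroupPolicy folder with the list in step 7. It assumes PowerShell is available on the DC (the thread does not mention it); the function name `Test-GroupPolicyFolderAcl` is hypothetical, and the groups are matched by their well-known SIDs.

```powershell
# Added example (not from the thread): compare the GroupPolicy folder ACL with the step 7 list.
function Test-GroupPolicyFolderAcl {
    param([string]$Path = 'C:\WINDOWS\system32\GroupPolicy')

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Step 7 entries keyed by well-known SID, so localized or renamed groups still match.
    $expected = @{
        'S-1-5-11'     = 'ReadAndExecute|This folder, subfolders and files'  # Authenticated Users
        'S-1-5-32-549' = 'ReadAndExecute|This folder, subfolders and files'  # Server Operators
        'S-1-5-32-544' = 'FullControl|This folder, subfolders and files'     # Administrators
        'S-1-3-0'      = 'FullControl|Subfolders and files only'             # CREATOR OWNER
        'S-1-5-18'     = 'FullControl|This folder, subfolders and files'     # SYSTEM
    }
    $findings = @()
    $seen = @{}
    $acl = Get-Acl -LiteralPath $Path

    # Step 4: the owner should be the Administrators group.
    if ($acl.GetOwner($sidType).Value -ne 'S-1-5-32-544') {
        $findings += "Owner is $($acl.Owner), expected Administrators"
    }

    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid  = $rule.IdentityReference.Value
        $mask = [int]$rule.FileSystemRights
        # An ACE can carry specific rights or the equivalent generic bits; accept both forms.
        if (@(0x1F01FF, 0x10000000) -contains $mask) { $rights = 'FullControl' }
        elseif (@(0x200A9, 0x1200A9, -1610612736) -contains $mask) { $rights = 'ReadAndExecute' }
        else { $rights = '0x{0:X8}' -f $mask }

        $flags = "$($rule.InheritanceFlags)/$($rule.PropagationFlags)"
        if ($flags -eq 'ContainerInherit, ObjectInherit/None') { $scope = 'This folder, subfolders and files' }
        elseif ($flags -eq 'ContainerInherit, ObjectInherit/InheritOnly') { $scope = 'Subfolders and files only' }
        else { $scope = $flags }

        $entry = "$rights|$scope"
        if ($rule.IsInherited) { $findings += "Inherited entry for ${sid}: $entry" }
        elseif ($rule.AccessControlType -ne 'Allow') { $findings += "Deny entry for ${sid}: $entry" }
        elseif ($expected[$sid] -ne $entry) { $findings += "Unexpected entry for ${sid}: $entry" }
        else { $seen[$sid] = $true }
    }
    foreach ($sid in $expected.Keys) {
        if (-not $seen[$sid]) { $findings += "Missing entry for ${sid}: $($expected[$sid])" }
    }
    return $findings   # no output means the owner and ACL match steps 4 and 7
}

Test-GroupPolicyFolderAcl
```

The check only reads the security descriptor; it changes nothing, so it can be run before and after the reset to confirm what the GUI steps altered.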